WordPress Login Security: 13 Ways to Secure Login Page
WordPress powers a very large share of all websites. That popularity makes it a favourite target for automated attacks, and security incidents involving WordPress sites are correspondingly common.
Fortunately, securing WordPress websites is all about observing certain best practices.
In this article, we’ll look at how you can secure your login page. Let’s get started!
Table of Contents
- Why Should You Secure the WordPress Login Page?
- Top WordPress Login Security Practices To Protect the Login Page
- Final Thoughts
- Frequently Asked Questions
Why Should You Secure the WordPress Login Page?
The WordPress login page is the gatekeeper to your website. Very often, it's the only hurdle to accessing the WordPress dashboard.
You can imagine the consequences of the scenario where hackers manage to go through the login page. Depending upon the compromised account's privileges, they can access, modify, or even delete website content.
Because every WordPress site exposes the same login form at the same predictable path, attackers run brute force attacks against it at scale. Automated scripts try thousands of username and password combinations per hour, and because WordPress has no login rate limiting by default, an unprotected login page will happily answer every one of them.
Top WordPress Login Security Practices
The good news is that securing the WordPress login page is pretty easy. You just need to keep the following best practices in mind, and the page will be protected from most threats.
1. Limit Login Attempts
Out of the box, WordPress places no restriction on how many times a user can attempt to log in.
Unfortunately, this means an attacker can simply keep guessing until a password works.
You can close this loophole by installing a plugin that limits login attempts; it is one of the most effective single improvements to WordPress login security. These plugins count failed logins per IP address (and usually per username) and temporarily block further attempts once the limit is reached, typically after three to five failures.
With LoginPress you can easily set up Limit Login. You can learn more about our guide on How To Limit Login Attempts in WordPress (Easy Guide).
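To show what a limit-login plugin does under the hood, here is an added example of a minimal per-IP throttle written with WordPress's own hooks and transients. It is illustrative code, not LoginPress's implementation; the limits (5 failures in 15 minutes), the function names and the `lp_example_` prefix are assumptions.

```php
<?php
/**
 * Added example, not LoginPress code: a minimal per-IP login throttle
 * built on WordPress transients. Place it in a mu-plugin or functions.php.
 *
 * Assumptions (adjust for your site):
 *   - 5 failed attempts within 15 minutes lock the IP for 15 minutes.
 *   - $_SERVER['REMOTE_ADDR'] holds the real client address. Behind a
 *     proxy or CDN it holds the proxy's address instead; have the server
 *     restore the client IP first, or every visitor shares one counter.
 */
define( 'LP_EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'LP_EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS );

function lp_example_attempt_key() {
    // Hash the address so the raw IP is not used as an option name.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lp_example_fail_' . md5( $ip );
}

// Count every failed login. wp_login_failed fires for wrong passwords and
// for unknown usernames alike, so username-enumeration attempts count too.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lp_example_attempt_key();
    $count = (int) get_transient( $key );
    // Each new failure restarts the window, so the lock persists for as
    // long as the attacker keeps hammering the page.
    set_transient( $key, $count + 1, LP_EXAMPLE_WINDOW );
} );

// Refuse the login once the IP is locked out. Priority 30 runs after
// WordPress's own password check (priority 20), so this error wins even
// when the attacker finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( lp_example_attempt_key() );
    if ( $count >= LP_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lp_example_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter on success so a legitimate user is not penalised
// for an earlier typo.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lp_example_attempt_key() );
}, 10, 2 );
```

Transients live in the options table (or the object cache), so the counter survives across requests but is wiped automatically when the window expires. A real plugin adds per-username counters, an allowlist for your own address and a notification when a lockout happens; the structure is the same.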
2. Add CAPTCHA
CAPTCHA is another good option for securing your login page. It acts as a shield against bots and other automated tools: a CAPTCHA is easy for a human to solve but hard for a script. It raises the cost of an automated attack rather than eliminating it, so treat it as a complement to attempt limiting, not a replacement.
You can use LoginPress to add reCAPTCHA to your login page.
For detailed information, see our guide on How To Implement The reCaptcha On Login Page With LoginPress.
3. Enforce Strong Passwords
A strong password is essential to the protection of the WordPress login page against brute force attacks.
A strong password is long (at least 12 characters, and longer is better), mixes upper- and lower-case letters, digits and symbols, and is unique to the site, so that a breach elsewhere cannot be replayed against your login page. A long random passphrase stored in a password manager meets all three conditions. If you need help, we suggest the Strong Password Generator to generate strong passwords with a click.
4. Change the Login Page URL
Everybody knows the URL structure of the WordPress login page. It generally looks like www.website.com/wp-admin/ or www.website.com/wp-login.php.
Changing this URL to something non-standard takes your site off the radar of the mass scanners that hammer /wp-login.php on every site they find. Note that this is obscurity, not authentication: a targeted attacker can still discover the page, so combine it with the other measures in this list.
LoginPress offers a Hide Login add-on that allows you to change the login page URL to a custom URL.
For detailed information, see our guide on Hide Login.
5. Set Up Two-factor Authentication
Two-factor authentication (2FA) hardens the security of your WordPress website significantly. When 2FA is enabled, logging in requires a one-time code in addition to the username and password. Because the code is generated by an app on your phone (or another device you hold), a stolen or guessed password alone is no longer enough to get in.
The code is derived from a secret shared with your device and changes every 30 seconds or so, so a code that leaks is useless moments later.
2FA is not a default feature of WordPress, but it is easy to add by installing a two-factor authentication plugin.
6. Automatic Session Logout
Automatic session logout limits how long a captured or abandoned session is useful. Users often walk away from a shared computer or leave a browser tab open without logging out, and a session cookie that stays valid for days gives anyone with access to that machine (or to the cookie) a long window to act as that user.
By default, a WordPress login session lasts 48 hours; if the user ticks the "Remember Me" box, it lasts 14 days. To shorten that window, use LoginPress to force automatic session logout.
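The session lifetime is also reachable from code: WordPress passes the default expiration through the auth_cookie_expiration filter before it sets the login cookie. The following is an added example, not LoginPress code, of a lifetime policy; the numbers are assumptions.

```php
<?php
/**
 * Added example, not LoginPress code: shorten WordPress session lifetimes.
 * WordPress passes its default (2 days, or 14 days with "Remember Me")
 * through the auth_cookie_expiration filter; whatever this callback
 * returns becomes the lifetime of every new login session.
 * The values below are assumptions; tune them for your users.
 */
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    // Administrators get short sessions whether or not they ticked
    // "Remember Me": their cookie is the most valuable one to steal.
    if ( user_can( $user_id, 'manage_options' ) ) {
        return 2 * HOUR_IN_SECONDS;
    }
    // Everyone else: 8 hours, or 3 days if they asked to be remembered.
    return $remember ? 3 * DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}, 10, 3 );
```

The filter only affects sessions created after it is in place; users who are already logged in keep their original expiry until they log in again or their session tokens are destroyed.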
7. Limit Login Access to Selected IP Addresses
If you have a list of trusted IP addresses, you can easily exclude all other IP addresses from accessing the login page. This ensures only the people you trust can log in from trusted network locations.
To enforce the IP address filter on an Apache server, add the following to the top of your .htaccess file (Apache 2.2 directive syntax):

```apache
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    # allow your own IP address
    Allow from xx.xxx.xx.xx
    # allow another trusted user's IP address
    Allow from xx.xxx.xx.xx
</Files>
```

Note: replace the XXs with your IP addresses. On Apache 2.4 the equivalent is Require all denied followed by one Require ip line per address. Two caveats: if your server sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's, so configure it to restore the real client IP before relying on this; and if your own connection uses a dynamic address, you will lock yourself out when it changes.
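Sites on nginx or other servers that ignore .htaccess can enforce the same allowlist inside WordPress instead. The following is an added example, not LoginPress code; the addresses are placeholders from the documentation ranges, and the CIDR matcher and function names are this example's own.

```php
<?php
/**
 * Added example, not LoginPress code: restrict the login page to trusted
 * networks from within WordPress, independent of the web server.
 * The networks below are placeholders; replace them with your own.
 * As with the .htaccess version, $_SERVER['REMOTE_ADDR'] must hold the
 * real client address, which it does not behind a proxy or CDN unless the
 * server has been configured to restore it.
 */
define( 'LP_EXAMPLE_ALLOWED_NETWORKS', array(
    '203.0.113.10',     // a single trusted host
    '198.51.100.0/24',  // a trusted office network (IPv4 CIDR)
    '2001:db8::/32',    // an IPv6 range
) );

/** True if $ip (IPv4 or IPv6) lies inside $cidr ("a.b.c.d", "a.b.c.d/n" or IPv6 form). */
function lp_example_ip_in_cidr( $ip, $cidr ) {
    if ( strpos( $cidr, '/' ) === false ) {
        // A bare address means "exactly this host".
        $cidr .= ( strpos( $cidr, ':' ) === false ) ? '/32' : '/128';
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_bin     = inet_pton( $ip );
    $subnet_bin = inet_pton( $subnet );
    // Unparsable input or mismatched families (v4 vs v6) never match.
    if ( $ip_bin === false || $subnet_bin === false || strlen( $ip_bin ) !== strlen( $subnet_bin ) ) {
        return false;
    }
    $bits       = min( (int) $bits, strlen( $ip_bin ) * 8 );
    $full_bytes = intdiv( $bits, 8 );
    $rest_bits  = $bits % 8;
    if ( substr( $ip_bin, 0, $full_bytes ) !== substr( $subnet_bin, 0, $full_bytes ) ) {
        return false;
    }
    if ( $rest_bits === 0 ) {
        return true;
    }
    // Compare only the leading $rest_bits of the next byte.
    $mask = ( 0xFF << ( 8 - $rest_bits ) ) & 0xFF;
    return ( ord( $ip_bin[ $full_bytes ] ) & $mask ) === ( ord( $subnet_bin[ $full_bytes ] ) & $mask );
}

function lp_example_ip_allowed( $ip, $networks ) {
    foreach ( $networks as $network ) {
        if ( lp_example_ip_in_cidr( $ip, $network ) ) {
            return true;
        }
    }
    return false;
}

// login_init fires before wp-login.php renders anything, for every action
// (login, lost password, registration), so all of them are gated.
add_action( 'login_init', function () {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! lp_example_ip_allowed( $ip, LP_EXAMPLE_ALLOWED_NETWORKS ) ) {
        wp_die( 'Access to the login page is restricted.', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

Because the check runs inside WordPress, a request still costs PHP execution, so the .htaccess version is cheaper under a flood; the PHP version's advantage is that it works anywhere WordPress runs and can use the same allowlist for other admin entry points.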
8. Disable Login Hints
WordPress shows error messages on failed login attempts that tell the user whether the username or the password was wrong. These hints make an attacker's job easier by confirming that one half of the credentials is correct, which turns the login page into a username oracle.
You can replace these hints with a single generic message by adding the following code to the end of your theme's functions.php file (or, better, to a small mu-plugin so it survives theme changes):

```php
// Replace WordPress's detailed login error with one generic message.
// The filter passes the original error text, which is intentionally ignored.
function no_wordpress_errors() {
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
```

Note that this only hides the hint on the login form; the lost-password form and author archives can still reveal which usernames exist, so treat it as one layer rather than a complete fix for username enumeration.
9. Regularly Review User Accounts
User Audit should be a part of your website security audit checklist. Inactive user accounts are often how hackers burrow their way into your website.
As a rule, you should review user accounts at least every month. During the review:
- Delete unused or inactive accounts, or downgrade them to a role with no write access.
- Check that each user's role matches what they actually need; administrator accounts in particular should be few and justified.
- Reset the password of any account that looks stale or shared, using WordPress's own reset flow so the user chooses the new password themselves. Never email credentials to users.
- Go through the activity logs for logins from unexpected locations or at unusual times.
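WordPress does not record when a user last logged in, which makes "inactive" hard to judge. The following is an added example, not LoginPress code, that records the last login and lists idle accounts; the 90-day threshold, the meta key and the WP-CLI command name are assumptions.

```php
<?php
/**
 * Added example, not LoginPress code: record each user's last login and
 * list the accounts that have been idle longer than a threshold.
 * The 90-day threshold and the meta key are assumptions.
 */
define( 'LP_EXAMPLE_IDLE_DAYS', 90 );

// Stamp every successful login. wp_login passes the login name and WP_User.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'lp_example_last_login', time() );
}, 10, 2 );

/**
 * Users who have not logged in for $idle_days, plus users with no recorded
 * login at all (they predate the hook, or never used the account). The
 * latter are usually the first candidates for removal in an audit.
 */
function lp_example_idle_users( $idle_days = LP_EXAMPLE_IDLE_DAYS ) {
    $cutoff = time() - $idle_days * DAY_IN_SECONDS;
    return get_users( array(
        'meta_query' => array(
            'relation' => 'OR',
            array(
                'key'     => 'lp_example_last_login',
                'value'   => $cutoff,
                'compare' => '<',
                'type'    => 'NUMERIC',
            ),
            array(
                'key'     => 'lp_example_last_login',
                'compare' => 'NOT EXISTS',
            ),
        ),
    ) );
}

// Optional WP-CLI command: `wp lp-example idle-users` prints the audit
// list with each user's roles, so idle accounts with high privileges
// stand out immediately.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'lp-example idle-users', function () {
        foreach ( lp_example_idle_users() as $user ) {
            $last = get_user_meta( $user->ID, 'lp_example_last_login', true );
            WP_CLI::line( sprintf(
                '%-20s %-15s %s',
                $user->user_login,
                implode( ',', $user->roles ),
                $last ? gmdate( 'Y-m-d', (int) $last ) : 'never'
            ) );
        }
    } );
}
```

Install the hook well before the first audit so the data is meaningful; for the first run, "never" simply means the user has not logged in since the hook was added.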
10. Use SSL
If you haven't already, migrate your website to HTTPS by installing an SSL/TLS certificate. Without it, the username and password travel across the network in clear text, where anyone on the path (a coffee-shop Wi-Fi, a compromised router) can read them. Once the certificate is in place, also set FORCE_SSL_ADMIN to true in wp-config.php so that WordPress refuses to serve the login page and dashboard over plain HTTP.
If your web host allows it, we suggest certificates from Let's Encrypt. They are free, renew automatically and are easy to set up.
Besides the free certificates, there are many paid options. If you need to cover a single domain or a wildcard domain, RapidSSL Wildcard, Comodo PositiveSSL Wildcard and Thawte Wildcard are a few of the better-known choices; single-domain and multi-domain certificates are available in the same way. For the purpose of protecting the login page, a free certificate is just as effective as a paid one.
11. Use a Website Application Firewall
A web application firewall (WAF) is a filter that screens incoming traffic before it reaches WordPress. It blocks requests from known and suspected malicious sources and patterns, so your site is protected from the common attacks that would otherwise be handled by WordPress itself.
A WAF also helps against brute force and denial-of-service attacks on the login page: a cloud-based WAF in particular can absorb the volume and apply rate limits before a single request reaches your server, which a plugin running inside WordPress cannot do.
12. Disable XML-RPC
XML-RPC was designed to let external applications (remote publishing tools, the WordPress mobile apps, Jetpack) talk to your site. These days its drawbacks usually outweigh the benefits: every XML-RPC call that needs authentication accepts a username and password, its system.multicall method lets a single HTTP request carry hundreds of login attempts (defeating per-request rate limits), and its pingback.ping method makes your site fetch an attacker-chosen URL, which is how WordPress sites end up taking part in DDoS attacks.
If you aren't using Jetpack or the mobile apps, plan to disable XML-RPC, either through a plugin, by adding a rule to your .htaccess file that blocks xmlrpc.php, or with a small code snippet. If you do need it, disable the individual abusable methods instead.
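The following is an added example, not LoginPress code, showing both levels of XML-RPC hardening using WordPress filters. It relies only on hooks that exist in core; nothing here is a LoginPress feature.

```php
<?php
/**
 * Added example, not LoginPress code: XML-RPC hardening with core filters.
 * Put it in a mu-plugin or functions.php.
 */

// Level 1: refuse every XML-RPC call that requires login. Each one gets a
// "XML-RPC services are disabled on this site." fault before the password
// is even checked. This breaks Jetpack and the WordPress mobile apps.
// Caveat: xmlrpc_enabled is consulted only for authenticated methods;
// pingback.ping needs no login and still runs, so Level 2 is needed too.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Level 2: keep XML-RPC available but remove the methods attackers use.
//  - system.multicall: bundles many calls (and so many login attempts)
//    into one HTTP request, sidestepping per-request rate limiting;
//  - pingback.ping: makes this site fetch an attacker-supplied URL,
//    turning it into a DDoS reflector.
// If you need Jetpack or the mobile app, use this level on its own.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'], $methods['pingback.ping'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header, so
// scanners looking for it get one less hint.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Blocking xmlrpc.php at the web server is the only way to stop the requests from costing PHP time at all; the filters above are the right tool when you cannot change server configuration or need to keep part of XML-RPC working.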
13. Keep WordPress Updated
Every new WordPress release ships fixes, including security fixes, across the platform. That's why you must keep your site on the latest stable version, and the same applies to plugins and themes, which are where most WordPress vulnerabilities are found.
As a rule, enable automatic updates for WordPress core so you never miss a security release, and review plugin and theme updates at least weekly.
Final Thoughts
It’s important to secure your WordPress login page, as it’s the most common target of automated attacks. Fortunately, securing this page is all about following the best practices and precautions above.
Let us know how many of these ideas you already have deployed on your website for improving WordPress login security.
Frequently Asked Questions
Is the WordPress login page secure?
Is WordPress secure from hackers?
That's all! You can also check out How To Change The Theme for Your WordPress Website and How To Add Google Fonts With LoginPress.